4 #include "secpoll-recursor.hh"
7 #include "arguments.hh"
9 #include "validate-recursor.hh"
12 #ifndef PACKAGEVERSION
13 #define PACKAGEVERSION getPDNSVersion()
// Last security status learned by doSecPoll(). The values handled there are:
// 0 = unknown, 1 = OK, 2 = update recommended, 3 = update mandatory.
uint32_t g_security_status{0};
// Free-text message that came with the status; logged for status 2 and 3.
string g_security_message{};
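/**
 * Poll the security-status TXT record for this recursor version and update
 * g_security_status / g_security_message from the answer.
 *
 * The query name is "recursor-<version>.security-status.<security-poll-suffix>".
 * The TXT content is expected to be "<status> <message>".
 *
 * @param last_secpoll  Set to the current time after a usable answer and
 *                      after NXDOMAIN; left untouched on other failures.
 *
 * NOTE(review): the listing this was taken from drops source lines that carry
 * no cross-referenced identifier (braces, `return;`, `else`, the declarations
 * of `now` and `sr`, the Bogus check). Those statements are restored here from
 * context; confirm them against the tree before relying on this copy.
 */
void doSecPoll(time_t* last_secpoll)
{
  // An empty suffix disables the poll entirely.
  if(::arg()["security-poll-suffix"].empty())
    return;

  string pkgv(PACKAGEVERSION);
  struct timeval now;
  gettimeofday(&now, 0);
  SyncRes sr(now);
  if (g_dnssecmode != DNSSECMode::Off)
    sr.setDoDNSSEC(true); // NOTE(review): statement not visible in the listing, confirm the exact call
  vector<DNSRecord> ret;

  string version = "recursor-" +pkgv;
  // A DNS label holds at most 63 octets, so the version label is truncated.
  string qstring(version.substr(0, 63)+ ".security-status."+::arg()["security-poll-suffix"]);

  // Make the name fully qualified.
  if(*qstring.rbegin()!='.')
    qstring+='.';

  // '+' and '~' can occur in version strings; they are mapped to '_' in the query name.
  boost::replace_all(qstring, "+", "_");
  boost::replace_all(qstring, "~", "_");

  vState state = Indeterminate;
  DNSName query(qstring);
  int res=sr.beginResolve(query, QType(QType::TXT), 1, ret);

  // The validation state is read only when the lookup failed (res != 0); a
  // successful answer leaves `state` at Indeterminate at this point.
  // NOTE(review): confirm that beginResolve() already fails Bogus answers in
  // every DNSSEC mode that is meant to reject them, since the status and
  // message below are otherwise taken from an unvalidated response.
  if (g_dnssecmode != DNSSECMode::Off && res) {
    state = sr.getValidationState();
  }

  if(state == Bogus) {
    L<<Logger::Error<<"Could not retrieve security status update for '" +pkgv+ "' on '"<<query<<"', DNSSEC validation result was Bogus!"<<endl;
    if(g_security_status == 1) // If we were OK, go to unknown
      g_security_status = 0;
    return;
  }

  if(!res && !ret.empty()) {
    // Only the first record of the answer is looked at.
    string content=ret.begin()->d_content->getZoneRepresentation();
    // Strip the surrounding quotes of the TXT presentation format.
    if(!content.empty() && content[0]=='"' && content[content.size()-1]=='"') {
      content=content.substr(1, content.length()-2);
    }

    pair<string, string> split = splitField(content, ' ');

    // The content comes from the network. std::stoi() throws on a non-numeric
    // or out-of-range field, so the field is checked first: digits only, and
    // at most nine of them so the value always fits in an int.
    const string& status = split.first;
    const bool numeric = !status.empty() && status.size() <= 9 &&
                         status.find_first_not_of("0123456789") == string::npos;

    if(numeric) {
      g_security_status = std::stoi(status);
      g_security_message = split.second;

      *last_secpoll=now.tv_sec;
    }
    else {
      // The malformed content itself is deliberately not echoed into the log.
      L<<Logger::Warning<<"Could not parse security status update for '" +pkgv+ "' on '"<<query<<"', ignoring malformed TXT content"<<endl;
      if(g_security_status == 1) // it was ok, now it is unknown
        g_security_status = 0;
    }
  }
  else {
    // Versions starting with "0.0." are non-release builds, for which no
    // status record is expected.
    if(pkgv.find("0.0.") != 0)
      L<<Logger::Warning<<"Could not retrieve security status update for '" +pkgv+ "' on '"<<query<<"', RCODE = "<< RCode::to_s(res)<<endl;
    else
      L<<Logger::Warning<<"Ignoring response for security status update, this is a non-release version."<<endl;

    if(g_security_status == 1) // it was ok, now it is unknown
      g_security_status = 0;
    if(res == RCode::NXDomain) // NXDOMAIN counts as a completed poll; other failures leave last_secpoll unchanged
      *last_secpoll=now.tv_sec;
  }

  if(g_security_status == 2) {
    L<<Logger::Error<<"PowerDNS Security Update Recommended: "<<g_security_message<<endl;
  }
  else if(g_security_status == 3) {
    L<<Logger::Error<<"PowerDNS Security Update Mandatory: "<<g_security_message<<endl;
  }
}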